(U) Most US school districts as of 23 March 2020 are and will remain closed until the end of the academic school year or “until further notice” because of COVID-19, according to data provided by a Maryland-based online publication that provides scholastic news and analysis. This Article assumes that while pre-kindergarten through 12th grade schools, institutions of higher education, and business and trade schools are closed, many are relying on internet-enabled distance learning (eLearning) alternatives in place of traditional classroom instruction.

(U//FOUO) We assess cybercriminals likely view schools’ greater reliance on eLearning tools due to the pandemic as an opportunity to conduct a range of criminal activity against educational institutions, faculty, and students who use these tools. We base this judgment on examples of credential theft, advertisements of remote access, and cyber-enabled extortion against students, faculty, staff, alumni, and educational institutions.

(U) Credential theft is a cybercrime involving the unlawful attainment of an organization’s or individual’s password(s) with the intent to access and abuse or exfiltrate critical data and information, according to a US network traffic analysis company. Cybercriminals often work to identify users and devices that will provide access to sensitive data. Credential-based attacks open the door for more repeatable attacks, as they allow threat actors to assume the identity of users who are authorized to access targeted data, according to the same report.

» (U) For cost savings: Iranian Government-affiliated cyber actors from late 2019 to early 2020 were ordered to steal students’ login credentials from universities throughout Europe, Australia, and the United States, according to a Dutch online press report citing a US consultancy firm claiming to have discovered the campaign. The actors posted the credentials on a forum (that also hosts login data for approximately 5,000 educational institutions, including high schools) for Iranian students to access libraries and other resources to which they would not normally have access, according to the same report.

» (U) For profit: Cybersecurity researchers in March 2017 identified 13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni at US higher education institutions (some freely available and others listed for between $3.50 and $10) on dark web sites—79 percent of which were uploaded within the previous 12 months—according to a US advocacy group’s report on cybercriminal activity affecting US universities. The report notes school credentials are attractive to buyers for three reasons: higher education servers are designed for many users and are almost always on, thus giving malicious cyber actors confidence that compromised infrastructure will remain available for use; cyber actors are attracted to the vast amounts of innovative intellectual property at universities; and buyers can use university credentials to get discounts on popular goods and services normally reserved for students, faculty, and staff, according to the same report.

(U) Identity theft: Personally identifiable information (PII) can be any piece of information meant to identify a specific individual, which presents opportunities for financial gain to criminal entities who can open lines of credit or take out mortgages, according to an Irish multinational consumer credit reporting company’s website. The value of PII listed in underground forums ranges from $1 – $2,000, depending on the specific information, according to a second article from the same company. We assume that actors steal PII from academic entities for financial gain. We also assume that eLearning necessitates additional use of file-sharing, collaboration, and communication platforms to which users must register with PII.

…

» (U) Cyber actors in 2017 compromised a Montana-based school district’s network where they obtained information about past and present students, parents, and staff members including PII, private health information, personal information from counselors and social workers, and academic records, according to a Montana-based media report and the actors’ ransom note. The actors’ ransom note also hinted that students’ private lives had been recorded through webcams on school-issued laptops. The actors demanded $150,000 in bitcoin in exchange for not publicizing the information, according to the same report.